PT-2026-50553 · E107Inc · E107
Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-48997
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H |
e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
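The quoting flaw described above and two ways to close it, as an added example. This is not e107 code and not the 2.3.6 patch; all function names, paths and the sample title are hypothetical and constructed for illustration.

```php
<?php
// Added example; names and paths are hypothetical, not taken from e107.

// Pattern the advisory describes: source escaped, destination in raw
// double quotes. /bin/sh still expands $(...) and backticks inside "...".
function build_cmd_unsafe(string $src, string $dst, int $width): string
{
    return 'convert ' . escapeshellarg($src) . ' -resize ' . $width . ' "' . $dst . '"';
}

// Hardening 1: reduce the title-derived fragment to an allowlist before it
// becomes part of a filename. Tabs, quotes, $ and backticks are all dropped.
function safe_title_fragment(string $title, int $len = 6): string
{
    $clean = substr(preg_replace('/[^A-Za-z0-9_]/', '', $title), 0, $len);
    return $clean === '' ? 'news' : $clean;
}

// Hardening 2: no shell at all. proc_open() with an array command
// (PHP >= 7.4) executes the binary directly, so /bin/sh never parses
// any argument, whatever characters it contains.
function resize_no_shell(string $src, string $dst, int $width): int
{
    $argv = ['convert', $src, '-resize', (string) $width, $dst];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start convert');
    }
    foreach ($pipes as $pipe) {
        stream_get_contents($pipe);
        fclose($pipe);
    }
    return proc_close($proc);
}

// Constructed input: a tab (untouched by a space-only filter) followed by
// a command substitution.
$title = "a\t\$(id)";
$dst   = "/tmp/upload/{$title}_news.jpg";

// Raw double quotes: the substitution reaches the shell intact.
echo build_cmd_unsafe('/tmp/upload/in.jpg', $dst, 200), PHP_EOL;
// escapeshellarg() single-quotes the whole path, so the shell treats it as literal.
echo 'convert ', escapeshellarg('/tmp/upload/in.jpg'), ' -resize 200 ', escapeshellarg($dst), PHP_EOL;
// Allowlisted fragment that is safe to embed in the destination filename.
echo safe_title_fragment($title), PHP_EOL;
```

The script only prints the command strings; resize_no_shell() is defined but not called, since it needs ImageMagick and real files.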
Fix
OS Command Injection
Weakness Enumeration
Related identifiers
Affected products
E107